LDAP authentication fails with "invalid DN"

Description

I've read http://docs.geoserver.org/latest/en/user/security/tutorials/ldap/index.html - http://docs.geoserver.org/latest/en/user/security/tutorials/ldap/index.html and tried many configuration options but still couldn't get it to work. Numerous posts in blogs and forums reporting similar issues with LDAP authentication didn't help much. I have seen a similar issue reported earlier [https://jira.codehaus.org/browse/GEOS-5999" title="LDAP/AD not authenticating" class="issue-link" data-issue-key="GEOS-5999">GEOS-5999 and one more that I can't find anymore..

Here's as far as I could get:

(see stacktrace1.txt attached)

and the following gets logged in slapd syslog:

Jan 29 10:52:05 cgsrv4 slapd

If I try to fully qualify the user lookup pattern (uid=
{0}
,ou=Users,dc=arrc,dc=csiro,dc=au) as some forum posts suggest I get the following with nothing logged in slapd logs (it looks like it doesn't even get there):

(see stacktrace2.txt attached)

Any help of suggestions where do I need to look at will be highly appreciated.

Environment

None

Activity

Show:
ddsd
February 23, 2016, 9:32 AM

To check the structure of your ldap organization, you can use ldapsearch command (on linux).

ldapsearch -h cg-admin.arrc.csiro.au -p 636 -x -b "ou=Users,dc=arrc,dc=csiro,dc=au"

You may post some parts of the result to help us find what's wrong with your configuration.

Alex Leith
February 25, 2016, 5:01 AM

I've got what seems to be a similar issue happening when I try to set up LDAP auth.

My situation is using AWS Directory Service and GeoServer 2.8.2. I'm running GeoServer on a Windows machine on AWS, and the machine is currently attached to the LDAP server, logged in as an admin. I can query LDAP from the machine. GeoServer fails with any combination of configuration I use with the error 'javax.naming.AuthenticationException: Cannot authenticate Administrator'.

Logs look pretty innocuous, and are similar to those attached to the bug.

As I said, I've tried practically every single combination of DN/OU/CN/User={0}/name={0} ... query.

I'd love to see if we can find a solution to this issue.

ddsd
February 25, 2016, 9:01 AM

This is not the same issue, you have a "bad credential" error in the log file which meens that your login/pass are wrong.
I think you should open another ticket and you should also post:

  • screenshots of your ldap configuration pages

  • results of ldapsearch commands to be sure of your ldap structure

without this elements it's hard to know what's wrong in your configuration.

Andrea Aime
March 4, 2016, 6:16 PM

Hi, if you are pressed for a fix we'd be thrilled if you could "do it yourself" and contribute back the changes? Or if you cannot but are still in a hurry you might want to check here http://geoserver.org/support/

Alex Leith
March 5, 2016, 12:04 AM

Hey Damien and Andrea, I'll look into this further soon and try to document my situation.

I'd love to contribute a fix, Andrea! I'll need to set up a dev environment, and I'm not there yet. Hopefully I can find time to do that at some point.

Assignee

Unassigned

Reporter

codehaus

Triage

None

Fix versions

None

Affects versions

None

Priority

Highest
Configure